asked on
Have configuration question with ISA2006
Have ISA configured in Single Network Configuration being used as a proxy server.
between hours 8-5 I have users limited to a set of allowed sites. I am using the schedule to define when active. this would be rule 1 in the firewall section, Rule 2 is the default deny all.
The customer would like to allow Internet access between 7-8AM, 12-1PM and after 4PM.
I have tried setting up rule #2 to allow by schedule unfettered access to the internet on those hours,
The action is allow, protocols all, from (the listed of managed workstations) to: default External, no exceptions. users all, schedule with about times and no blocking of content types.
What happens is that the users get blocked from any site, if I creating a special URL group with specfic address in it, the rule appears to work. Any way to give full Internet access?
thanks
between hours 8-5 I have users limited to a set of allowed sites. I am using the schedule to define when active. this would be rule 1 in the firewall section, Rule 2 is the default deny all.
The customer would like to allow Internet access between 7-8AM, 12-1PM and after 4PM.
I have tried setting up rule #2 to allow by schedule unfettered access to the internet on those hours,
The action is allow, protocols all, from (the listed of managed workstations) to: default External, no exceptions. users all, schedule with about times and no blocking of content types.
What happens is that the users get blocked from any site, if I creating a special URL group with specfic address in it, the rule appears to work. Any way to give full Internet access?
thanks
Microsoft Forefront ISA Server
Last Comment
fxkeough
What if you put "All networks (and Local host)" as destination?
rule 1 needs to be a deny for the users you want to block giving a schedule with the blocked hours
rule 2 needs to be an allow all users using the schedule allow always
rule 3 will be the deny all
rule 2 needs to be an allow all users using the schedule allow always
rule 3 will be the deny all
ASKER
CheeseLover - will give that a try at my next testing interval this evening.
Keith, not sure if I follow, I have 3 rules, the 1) limited access during the day to selected sites, and then hopefully a open period covering not working hours, and 3rd, the default deny rule that is there by default.
I thought what would happen was durning the time in the schedule when the access rule was marked inactive, it would fall through to rule 2, which was active when rule was was inactive, but it appears to just falling through to the default rule 3, which is to deny all access.
Keith, not sure if I follow, I have 3 rules, the 1) limited access during the day to selected sites, and then hopefully a open period covering not working hours, and 3rd, the default deny rule that is there by default.
I thought what would happen was durning the time in the schedule when the access rule was marked inactive, it would fall through to rule 2, which was active when rule was was inactive, but it appears to just falling through to the default rule 3, which is to deny all access.
OK - in your initial post you state rule 2 is the deny all.
This is a common requirement and you have the logic correct. The way it works is that when a schedule ceases to operate ie its time boundaries kick in) the rule effectively ceases to exist. For example, iy you put a rule in with a schedule to block traffic between 1 & 2PM, it does not operate by allowing all traffic, then blocking between 1 & 2, then allowing again afterwards. The rule is completely invisible until 1PM and then becomes invisible again at 2PM. Basically it does what you thought - outside of 1 - 2PM the rule 1 does not exist and the first rule to be executed would be the next one down.
There is a catch-out on this. The rules are actioned for NEW connections. In simple terms, if you have a connection to www.microsoft.com at 12.59 then it will not stop working at 1PM because the connection is already established. However, if a connection to a new site was attempted then that WOULD be blocked. The way this is got around is by putting a scheduler task in at the OS level to stop/restart the firewall service at 1PM. This takes about 10 seconds to run through on a reasonable box. You do NOT need to do this though when the normal schedule is reintroduced at 2PM.
The first rule though MUST be the deny - can you give me the exact syntax you have used?
This is a common requirement and you have the logic correct. The way it works is that when a schedule ceases to operate ie its time boundaries kick in) the rule effectively ceases to exist. For example, iy you put a rule in with a schedule to block traffic between 1 & 2PM, it does not operate by allowing all traffic, then blocking between 1 & 2, then allowing again afterwards. The rule is completely invisible until 1PM and then becomes invisible again at 2PM. Basically it does what you thought - outside of 1 - 2PM the rule 1 does not exist and the first rule to be executed would be the next one down.
There is a catch-out on this. The rules are actioned for NEW connections. In simple terms, if you have a connection to www.microsoft.com at 12.59 then it will not stop working at 1PM because the connection is already established. However, if a connection to a new site was attempted then that WOULD be blocked. The way this is got around is by putting a scheduler task in at the OS level to stop/restart the firewall service at 1PM. This takes about 10 seconds to run through on a reasonable box. You do NOT need to do this though when the normal schedule is reintroduced at 2PM.
The first rule though MUST be the deny - can you give me the exact syntax you have used?
ASKER
1st Rule:
Action: ALLOW
Protocols: ALL Protocols
From: Internet Restricted Computers (list of about 10 computers created in Network Objests/ Computer Sets
To: Approved Sites ( again a list of 10 approved sites,defined in URL
Users: All Users
Schedule: Active 8-4PM M-F (under created schedule)
Content Type: ALL Selected.
Rule 2 (currently deactived)
Action: ALLOW
Protocols: ALL Protocols
From: Internet Restricted Computers (list of about 10 computers created in Network Objests/ Computer Sets
To: External
Users: All Users
Schedule: Active 4PM-8AM and 12-1PM M-F (under created schedule)
Content Type: ALL Selected.
Rule 3 (active / default rule)
Action: DENY
FM: ALL Netoworks and Local Host
TO: ALL Netowrks and Local Host
Users: All Users
Schedule : Acitve 24 hours / 7 days
Content type: ALL
Hope that is what you were looking forward, I have created 2 schedules, Work Hours, (baskically 8-12, and 1-4PM, and Off Work, which is 4PM to 8AM.
Additionally Rule 1 and Rule 2 affect the same Computer Computer :Internet Restricted Groups"
Nothing else has changed except for management stations and the owner who is allowed as admin.
Thanks
Action: ALLOW
Protocols: ALL Protocols
From: Internet Restricted Computers (list of about 10 computers created in Network Objests/ Computer Sets
To: Approved Sites ( again a list of 10 approved sites,defined in URL
Users: All Users
Schedule: Active 8-4PM M-F (under created schedule)
Content Type: ALL Selected.
Rule 2 (currently deactived)
Action: ALLOW
Protocols: ALL Protocols
From: Internet Restricted Computers (list of about 10 computers created in Network Objests/ Computer Sets
To: External
Users: All Users
Schedule: Active 4PM-8AM and 12-1PM M-F (under created schedule)
Content Type: ALL Selected.
Rule 3 (active / default rule)
Action: DENY
FM: ALL Netoworks and Local Host
TO: ALL Netowrks and Local Host
Users: All Users
Schedule : Acitve 24 hours / 7 days
Content type: ALL
Hope that is what you were looking forward, I have created 2 schedules, Work Hours, (baskically 8-12, and 1-4PM, and Off Work, which is 4PM to 8AM.
Additionally Rule 1 and Rule 2 affect the same Computer Computer :Internet Restricted Groups"
Nothing else has changed except for management stations and the owner who is allowed as admin.
Thanks
As I explained above, these rules need to change.
the first rule should be a deny access rule and set for the hours you want the 'deny' to be effective - from 4PM-8AM and 12-1PM M-F
Your rule 2 should be the allow all users always - third rule is the default deny any
the first rule should be a deny access rule and set for the hours you want the 'deny' to be effective - from 4PM-8AM and 12-1PM M-F
Your rule 2 should be the allow all users always - third rule is the default deny any
I disagree with you Keith, for several reasons:
I believe that "Allow all users always" is not a good practice, generally speaking. When rules list becomes longer, having such rule would make everythig harder to maintain.
Second, I understood that only several clients need access to internet. If that is the case, it would be necessary to put very large group of computers in deny list. Every time new client is added to network, someone would have to modify rule.
fxkeough: As you can see, the only important difference between rules one and two is "To:" so I would suggest that you test different destinations in rule 2 and see what happens. The way you put it "To: External" should work, but you have to start from somewhere to see where is the problem.
I believe that "Allow all users always" is not a good practice, generally speaking. When rules list becomes longer, having such rule would make everythig harder to maintain.
Second, I understood that only several clients need access to internet. If that is the case, it would be necessary to put very large group of computers in deny list. Every time new client is added to network, someone would have to modify rule.
fxkeough: As you can see, the only important difference between rules one and two is "To:" so I would suggest that you test different destinations in rule 2 and see what happens. The way you put it "To: External" should work, but you have to start from somewhere to see where is the problem.
Disagree away. :)
You have your view and I'll stick to mine. Mine is based upon being a Microsoft MVP for the product for the past few years, a Microsoft Certified Trainer on the product and one who sits on the ISA Advisory Board - oh, and over three hundred installs from ISA2000 - 2006 but hey, I'm sure you know best. We are all entitled to our views..... I'm always happy to be advised though :)
Keith
You have your view and I'll stick to mine. Mine is based upon being a Microsoft MVP for the product for the past few years, a Microsoft Certified Trainer on the product and one who sits on the ISA Advisory Board - oh, and over three hundred installs from ISA2000 - 2006 but hey, I'm sure you know best. We are all entitled to our views..... I'm always happy to be advised though :)
Keith
My deepest respect.
btw. do you regularly visit all 300 installs to add new clients to deny rule?
btw. do you regularly visit all 300 installs to add new clients to deny rule?
hahaha - fair point but to explain, at this point - similar to your own comment - we are in the testing phase ie does the logic work as expected? If the logic is correct (and no offence but this is a common request which I have implemented frequently) then we can reduce the criteria of each rule down to meet the requirements.
The same approach is often used for the internal & localhost TO internal 7 localhost access rule when RPC, DNS etc play about for users. Open it up first - prove the logic then lock it down to specifics. In my own configurations i actually go too far in some people's views as I will not use the all networks or the combined protocols; I like to have one rule for each function with each having its defined user authentication as it makes troubleshooting so much simpler.
Keith
The same approach is often used for the internal & localhost TO internal 7 localhost access rule when RPC, DNS etc play about for users. Open it up first - prove the logic then lock it down to specifics. In my own configurations i actually go too far in some people's views as I will not use the all networks or the combined protocols; I like to have one rule for each function with each having its defined user authentication as it makes troubleshooting so much simpler.
Keith
ASKER
okay... this is what is working now...
moved Rule 2 to the top, it is now rule 1. ( the allow access to all internet sites)
but I think what made the difference is the change of the "TO" in the rule, from External to Internal, as this was a single NIC install there was no way for it to get back, the other rule worked because it was just allowing a specfic number of websites.
moved Rule 2 to the top, it is now rule 1. ( the allow access to all internet sites)
but I think what made the difference is the change of the "TO" in the rule, from External to Internal, as this was a single NIC install there was no way for it to get back, the other rule worked because it was just allowing a specfic number of websites.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Cheeselover is correct, both contributed to the solution. thanks, learned much.